[oslo][keystone] admin-ness not properly scoped and oslo.policy current status about this issue

Herve Beraud hberaud at redhat.com
Wed Mar 13 18:00:58 UTC 2019


On Wed, 13 Mar 2019 at 18:33, Ben Nemec <openstack at nemebean.com> wrote:

> Tagging Keystone as I think they are better suited to answering this.
>

Yep, makes sense :)


> A bit more from my limited knowledge inline.
>

> On 3/13/19 12:07 PM, Herve Beraud wrote:
> > Hello
> >
> > ## Overview
> > I want to bring up this topic (admin-ness not properly scoped)[1] to get
> > a big picture of the state of this issue and of what was needed on the
> > oslo.policy side.
> >
> > A few weeks ago some RHOSP customers requested an enhancement of
> > oslo.policy since their admin domain can manage other domains. They use
> > OSP13.
>
> For those not rocking fedoras, OSP 13 corresponds to Queens. :-)
>
> >
> > The goal of this ML thread is to help us to track information about
> > this topic, and I also planned to discuss this topic during the
> > next oslo meeting (Monday 18 March).
> >
> > ## Details
> >
> > After some investigations I've found a lot of related issues on
> > launchpad[1][2][3], and a lot of discussions inside the openstack
> > community about this topic.
> >
> > First I guess it's not an RFE but it's a known issue.
> >
> > This bug has side-effects across several services, not just oslo or
> > keystone, making the fix complex to orchestrate across services.
> >
> > First, I want to know more about the latest events on this
> > topic on the oslo side:
> > - the state of the related specs
> > (https://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-in-policy.html).
> > - if we need to add more changes to completely fix this issue and/or if
> > everything is complete on the oslo side, and since which version. I
> > guess this one[4] is related.
>
> To my knowledge the Oslo side is done. I think we actually added the
> necessary fields to oslo.policy (and oslo.context?) at the end of last
> cycle. I'm not sure where the Keystone side stands, but I'm sure someone
> from that team can provide an update.
>

Yeah, I guess we can bring in oslo.context too since these changes look
related to this topic too:
https://github.com/openstack/oslo.context/commit/f65408df5cd5924f2879c3ee94d07fd27cb2cf73


>
> Unfortunately, even if Keystone is completely finished, to consume this
> I _think_ it's going to require policy changes in all of the consuming
> services, and I don't know that any of those have happened yet. I
> believe it's a PTG topic for Keystone.
>
> >
> > Also, due to the complexity of this issue, I guess it is not totally fixed
> > across all the openstack components on stein and it can't be fully
> > backported to stable branches, but your point of view is really
> > appreciated. In other words I guess some parts are already fixed on some
> > components but some services still need to be fixed and the issue
> > partially occurs on stein, so fixing that on stable branches is not really
> > possible, can you confirm?
>
> Yeah, I don't expect most of this would be backportable, especially all
> the way to Queens.
>

Thanks.

>
> >
> > Also I've found a few related specs that I guess can be useful to track
> > the evolution:
> > - https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/capabilities-app-creds.html
> > - https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
> > - https://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html
> > - https://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-in-policy.html
> >
> > If I missed something useful, do not hesitate to reply and share it
> > with us.
> >
> > [1] https://bugs.launchpad.net/keystone/+bug/968696
> > [2] https://bugs.launchpad.net/keystone/+bug/1783659
> > [3] https://bugs.launchpad.net/nova/+bug/1649532
> > [4] https://bugs.launchpad.net/oslo.policy/+bug/1577996
> >
> > --
> > Hervé Beraud
> > Senior Software Engineer
> > Red Hat - Openstack Oslo
> > irc: hberaud
> >
>
>

-- 
Hervé Beraud
Senior Software Engineer
Red Hat - Openstack Oslo
irc: hberaud
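The scoping problem this thread tracks, as an added illustration in plain Python (not code from the thread and not oslo.policy itself): it models the legacy `role:admin` check string, the `scope_types` attribute from the include-scope-in-policy spec, and the `[oslo_policy] enforce_scope` option, all simplified and assumed here rather than taken from the library.

```python
"""Minimal model of "admin-ness not properly scoped" and the scope-aware fix.

Constructed illustration: mimics oslo.policy's 'role:admin' check string,
the scope_types attribute from the include-scope-in-policy spec and the
[oslo_policy] enforce_scope option. It is not oslo.policy's code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Context:
    """Constructed stand-in for the token fields an oslo.context carries."""
    roles: List[str]
    project_id: Optional[str] = None    # set on project-scoped tokens
    system_scope: Optional[str] = None  # "all" on system-scoped tokens


def token_scope(ctx: Context) -> str:
    """Classify the token the way scope_types expects."""
    return "system" if ctx.system_scope == "all" else "project"


def legacy_enforce(ctx: Context) -> bool:
    """Pre-fix rule 'role:admin': it only asks whether the role is present,
    never *where* it was granted, so an admin of one project passes this
    check for resources of every other project (the bug being tracked)."""
    return "admin" in ctx.roles


def scoped_enforce(ctx: Context, target_project: str,
                   scope_types: List[str],
                   enforce_scope: bool) -> Tuple[bool, str]:
    """Scope-aware rule: 'role:admin' plus scope_types. Returns (allowed, reason)."""
    if "admin" not in ctx.roles:
        return False, "missing role"
    scope = token_scope(ctx)
    if scope not in scope_types:
        if enforce_scope:
            return False, "scope %s not in %s" % (scope, scope_types)
        # enforce_scope=False: the mismatch only warns and legacy behaviour
        # persists, which is why the fix must be rolled out per service
        return True, "warning: scope %s not in %s" % (scope, scope_types)
    if scope == "project" and ctx.project_id != target_project:
        return False, "project-scoped admin of another project"
    return True, "ok"
```

With `scope_types=["system"]` a project admin of "alpha" still passes the legacy check for project "beta", is refused once scope is enforced, and only a system-scoped admin is accepted.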